Url and application filtering on FTD

Vishal6
Level 2

Hello,

I want to deploy MX105 at core level and FTD at perimeter level in our network. However, I have procured UTM licenses for the MX appliances, not for the FTD.

1. Can I achieve URL filtering at the FTD after the traffic gets filtered by the MX?

2. I want to achieve load balancing using the Meraki MX (used as a core FW), where the FTD will be the perimeter.

Attached diagram for reference.


It is OK to use the FTD URL filter after another FW (except it will slow your traffic a little if the first FW also uses a URL filter).

For the other question, can you elaborate more?

Thanks 

MHM

What if the FTD doesn't have any threat, malware and URL filtering license? Will it still process the traffic coming via the MX?

Can't see why not. Traffic routing will still work as normal, and the FTD will process that traffic just fine. The only thing is that the FTD in that case won't be doing any security inspection apart from the normal access list checks.

Vishal6
Level 2

One more query, 

As we are not directly connecting the MX to the Internet, how does warm spare work here?

Would the MX capture both ISP IP addresses via the FTD?

Will using a single private uplink IP address (the link between FTD and MX) be able to form a warm spare?

Yes, it should work, because from the MXs' perspective they just need to be connected to the Meraki dashboard; it doesn't really matter if they are connected directly to the internet or via another device, as in your case. When the primary MX doesn't reach the Meraki dashboard anymore, it will be assumed that it is down and the secondary MX will become the primary. In your shared diagram there are no links between the switches; I'm assuming the switches will be connected to each other and both firewalls will be connected to each switch. That will provide you full resiliency. Regarding using URL filtering on the MX, as already mentioned, that shouldn't be an issue: you can turn on whichever security features on the MX and do part of the security inspections on them and leave the rest for the FTDs, based on the licenses installed.

What about SD-WAN features on the MX? Will it do load balancing, as the public IP link is directly terminated on the FTD and it (the FTD) mostly uses the ISP link for redundancy?

I don't think that will work, because even if you connect each MX to both firewalls, one of the firewalls will be passive, so the MX will have no chance to load balance the traffic across the two firewalls.

Here, 2 ISP links will be terminated on both FTDs, but the primary FTD will use one ISP at a time till it goes down. Can the MX provide SD-WAN features here?

I don't think it will, because from the MX perspective it wouldn't be aware of the two ISP links nor their status; the MX would only have a point-to-point link to the active FTD. Why not move the MXs to the edge and place the FTDs behind them?
